US20080016566A1 - Process to thwart denial of service attacks on the internet - Google Patents
- Publication number: US20080016566A1
- Application number: US 11/774,060
- Authority: US (United States)
- Prior art keywords: server, attack, packets, tcp, syn
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Definitions
- The content delivery infrastructure described in FIG. 1, consisting of a network of interconnected layer 4-7 switches, is modified so that web caches 160 and 161 are replaced with a simple network element that only deals with the TCP connections, and does not cache any data locally. We call this element a “TCP proxy”.
Abstract
Description
- This application is a continuation of commonly owned pending U.S. patent application Ser. No. 09/672,206, filed Sep. 28, 2000, entitled A PROCESS TO THWART DENIAL OF SERVICE ATTACKS ON THE INTERNET, which application is incorporated by reference herein as if set forth in its entirety.
- The present invention relates generally to providing security from attacks made on the legitimate operation of computer networks such as the Internet, and, more specifically, to a technique that can reduce the problems that occur when an attempt is made to interfere with the operation of a network by a coordinated denial of service attack.
- As computer networks and the Internet become more critical for many businesses, guaranteeing the appropriate operation at a reasonable service level becomes a top priority. Allowing business services over the Internet makes the organization's network much more vulnerable to attacks, which may reduce performance or even bring the entire network down. For this reason, network security, and in particular protecting the network against malicious attacks, has also become increasingly significant for many businesses.
- One of the most common and dangerous types of attacks is known as the Denial of Service (DoS) attack. DoS attacks are designed to bring down a computer or network by overloading it with a large amount of network traffic using TCP, UDP, or ICMP data packets. On their own, these packets look harmless, making them easily allowed through a company's routers and firewalls. As indicated by its name, a DoS attack denies the appropriate service to legitimate customers by overloading both the network and the attacked server.
- One specific form of the DoS attack is the Coordinated SYN DoS attack (CSDoS). In this attack, several malicious hosts, working on a coordinated basis and therefore operating essentially simultaneously, send only SYN packets (which are the first packet in the TCP connection establishment protocol) towards an intended victim server, using forged sender IP addresses. In this way, the attacker creates both a very large number of entries in the victim server's TCP connection table and a very high load on the links that connect that server to the Internet. The use of forged sender IP addresses makes the server send its SYN/ACK packets (which are the TCP reply packets to SYN packets) to nonexistent addresses, and thus the entries in the connection tables stay until they are timed out. In addition, there is no easy way to find out the addresses of the compromised malicious hosts, thus preventing an effort to filter out packets from these hosts.
- RFC 2827 talks about these attacks and suggests ways to block packets with forged sender IP addresses. The manufacturers of layer 4-7 switches [1] promote the use of these devices to filter out unwanted traffic and for load balancing that can be used to alleviate the load from Network Intrusion Detection (NID) systems. However, these techniques have not been successful because the efficacy of ingress filtering (as described in RFC 2827) and like techniques depends heavily on voluntary cooperation from every individual network in the Internet. Furthermore, such approaches are costly to operate, and are subject to the negative effects of misconfigured access lists.
- [1] There is often some confusion regarding terminology among experts in the field, relating to layer 4 and layer 7 switches. In this specification, “layer 4-7 switches” refers to this type of device, in general. Where there are differences between layer 4 and layer 7 switches, these differences are pointed out.
- In accordance with one embodiment of the present invention, existing Internet content delivery infrastructure, which includes a network of interconnected programmable layer 4-7 switches, is modified in order to fight coordinated SYN denial of service (CSDoS) attacks. During normal operation, the layer 4-7 switch is arranged to divert a small fraction of SYN packets originating in one or more clients and destined to various servers, to a web guard processor. The web guard processor serves as one terminating end of a first complete TCP connection with the client originating the packet, and, upon the establishment of this first TCP connection, opens a new TCP connection to the server and transfers the data between these two connections. It also monitors the number of timed-out connections to clients of each server. When a CSDoS attack is in progress, the number of the forged attack packets and hence the number of timed-out connections increases significantly. If this number exceeds a predetermined threshold amount, the web guard processor declares that this server is under attack. It then reprograms the switch to divert all traffic (i.e. SYN packets) destined to this server to the web guard processor, or to delete all SYN packets to the server in question. If the number of timed-out connections increases, it can also inform other web guard processors, and/or try to find the real originating hosts for the forged packets. In either event, the server is thus shielded from, and does not feel the effects of, the DoS attack.
- In accordance with another embodiment of the present invention, a network of interconnected layer 4-7 switches is enhanced to improve its ability to thwart CSDoS attacks, by arranging the switches to forward SYN packets to respective TCP proxies that each operate without an associated cache, and are therefore inexpensive to install and operate. These TCP proxies, when subject to a CSDoS attack, will not successfully establish a TCP connection with a malicious host, due to the nature of the attack itself. Accordingly, no connections will be made from the TCP proxies to the server under attack, and the server will be protected.
- The present invention will be more fully appreciated from a consideration of the following Detailed Description, which should be read in light of the accompanying drawings in which:
- FIG. 1 is a block diagram of the infrastructure elements presently found in the Internet;
- FIG. 2 is a block diagram similar to FIG. 1 showing a web guard processor 201 arranged in accordance with the principles of the present invention to work cooperatively with switch 131; and
- FIG. 3 is a flow diagram of the process performed in web guard processor 201 of FIG. 2.
- In order to put the present invention in the appropriate context, it will be helpful to first review the infrastructure elements presently in use by context delivery companies and Internet Service Providers (ISPs) to provide fast and reliable delivery of information to users over the Internet. Referring to FIG. 1, a group of users or clients 101-104 are shown at workstations or home computers that are connected to various elements in the Internet 100. Internet 100 includes a plurality of interconnected routers 150-154, and layer 4-7 switches 130-132. The arrangement and capabilities of these elements are well known to those skilled in the art. Examples of level 4 switches are switches in the IPWorX™ WebDirector family available from Lucent Technologies. Examples of layer 7 switches are the switches in the AppSwitch™ 3500 family available from Top Layer Networks. In FIG. 1, client 104 is shown as being connected to Internet 100 via a router 140 within an Intranet 140. This arrangement is meant simply to illustrate that the Internet is not a unitary arrangement, but consists of many interconnected individual networks of elements, some of which are referred to as Intranets or private networks. Likewise, in FIG. 1, a server 120 within an Intranet 122 is shown as being connected to Internet 100 via a firewall 121. Here again, this depiction is illustrative of the fact that content is contained on servers like server 120 within the networks (Intranet 122) of content providers, and that some protection is currently afforded by software arrangements such as firewall 121 which try to block unauthorized access. Server 120 can be the victim of a coordinated denial of service attack that the present invention is designed to prevent.
- In order to provide clients with faster access to content, context delivery companies and ISPs have used elements, called web caches, to act as alternate sources of content. In FIG. 1, web cache 160 is connected to switch 132, and web cache 161 is connected to switch 131. If a client, such as client 102, is seeking information from server 120, a TCP packet addressed to server 120 and containing a “HTML get request” is routed through internet 100 from the client computer toward server 120. The path taken illustratively is via switch 130 to switch 131. If the latter switch is a layer 4-7 switch, it is arranged to decide whether to route a request to server 120, or to a cache 161 connected to the switch, depending upon the identity of the specific file requested. Switch 131 is also arranged to handle TCP termination inside the switch. Note that if switch 131 is a layer 7 switch, the web guard processor functionality could be placed inside the switch, rather than on a separate device coupled to the switch. When switch 131 receives the TCP packet, the destination address is examined, and if a translation entry is found, the packet is routed to web cache 161 rather than to server 120. The TCP connection originated at client 102 is terminated at that cache. Web cache 161 then checks the HTML “get” request to determine if the required context can be delivered from the local cache. If so, the cache just sends the file to the client. Otherwise, the cache opens a new TCP connection to server 120, retrieves the file, and sends it to client 102.
- The architecture and arrangement of the context delivery system shown in FIG. 1 is meant to be illustrative only, since numerous different methods of connection are currently in use, and other mechanisms, not shown in FIG. 1, are also possible. Elements in the arrangement serve multiple functions; for example, Layer 4-7 switches are used both for routing of packets as well as for load balancing and filtering. The web cache, which is generally an expensive element of the context delivery arrangement, includes both storage capability as well as logic needed to figure out which of the files wanted by clients are stored locally, deliver them, retrieve copies of files which are unavailable locally (or of which the local copy is not updated), deliver them, and decide whether to keep a local copy.
- In accordance with the present invention, the undesirable effects created by CSDoS attacks are eliminated by using the arrangement of FIG. 2, which includes a web guard processor 201 operating in cooperation with a layer 4-7 switch, such as switch 131 in FIG. 2. Web guard processor 201, which includes a processor and memory capabilities, can be an external element, operating cooperatively with a layer 4 switch. Alternatively, web guard processor 201 can be a logical element built into the hardware present in a layer 7 switch. The process performed in the web guard processor is illustrated in flow diagram form in FIG. 3.
- During normal operation, i.e., before a CSDoS attack is detected, switch 131 is arranged to divert, in step 301, a predetermined small fraction of the SYN packets destined to each server S, to web guard processor 201. This may be accomplished by establishing a probability P (say P=0.02) with which any given SYN packet destined to server S will be diverted. Web guard processor 201 is arranged to terminate the TCP connection from the client from which the SYN packet originated, and upon the establishment of the two-way TCP connection with the client (through the normal TCP interaction), to open a new TCP connection to the server and to transfer data between these two elements.
- Web guard processor 201 also monitors, in step 303, the number of timed out connections from clients accessing each server S. When this number increases beyond a first predetermined threshold B1S (say more than 2 in the last minute), a YES result occurs in web guard processor 201 in step 303, which indicates that server S may be under attack. The process then proceeds to step 305, in which switch 131 is reprogrammed to divert all traffic (i.e. SYN packets) destined for server S, to the web guard processor 201. These diverted packets can simply remain in web guard processor 201 without harming the operation of server S; alternatively, web guard processor 201 can be arranged even at this point to reprogram switch 131 to delete all SYN packets destined for server S. However, as explained below in connection with step 309, this drastic action is not usually taken at this point in the process. If desired, an alarm signal can be generated in step 307, indicating that server S is under attack. If the threshold is not reached in step 303, a NO result causes the process to return to and repeat step 303.
- The process continues to step 309, in which web guard processor 201 continues to monitor the number of timed out connections to each server S. When this number continues to exceed a second predetermined threshold B2S, a YES result occurs in web guard processor 201 in step 309, which indicates that server S is indeed under attack. Then in step 313, web guard processor 201 is arranged to reprogram switch 131 to delete all SYN packets destined for server S. In addition, web guard processor 201 can, in step 313, send a message to server S alerting it that an attack is in progress, inform other web guard processors, and try to find the real hosts originating the forged packets. An alarm can then be generated, in step 315, indicating the alarm condition, which continues for a predetermined time T. After expiration of this waiting period in step 317, the process returns to step 303.
- If the number of timed out connections does not exceed the second predetermined threshold B2S, the result in step 309 is NO, and the complete packet diversion that was instituted in step 305 is reset. At this point, the switch 131 is directed to again divert only a predetermined small fraction of the SYN packets destined to server S, to web guard processor 201 (same as in step 301). The process then returns to step 303.
- From the foregoing description, it is seen that the present invention is premised on the fact that when a CSDoS attack is in progress, the number of the forged attack packets increases significantly, and therefore some of them will most likely be sent to the web guard processor 201. This will result in TCP time-outs, allowing the attack to be detected and then blocked, as explained above.
- Another, more basic approach to fighting a CSDoS attack may be used in accordance with another embodiment of the present invention. In this embodiment, the content delivery infrastructure described in FIG. 1, consisting of a network of interconnected layer 4-7 switches, is modified so that web caches 160 and 161 are replaced with a simple network element that only deals with the TCP connections, and does not cache any data locally. We call this element a “TCP proxy”.
- Various modifications and enhancements of the present invention are possible, and for that reason, the present invention is to be limited only by the following claims. For example, a combination of web guard processors and TCP proxies can be implemented in a single network element. Also, the elements of the present invention can be combined with other context delivery techniques, such as DNS based redirection, in order to maximize the benefits achieved by the present invention. Specifically, DNS based redirection can be used to force packets destined for a particular server to be routed through a web guard processor or to be routed to a switch having an associated TCP proxy.
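The FIG. 3 process (steps 301 to 317) can be read as a per-server state machine; the Python below is an added illustration of that reading and is not code from the patent. The values chosen for B2S and T, the observation interval before step 309, the 3-second handshake timeout, clearing the timeout counter on reset, and all class and function names are assumptions.

```python
import random
from collections import deque
from dataclasses import dataclass, field

SAMPLE, DIVERT_ALL, DROP_ALL = "SAMPLE", "DIVERT_ALL", "DROP_ALL"


@dataclass
class WebGuard:
    """Web guard state for one server S. Only p and b1 use values from the page."""
    p: float = 0.02        # step 301: probability P that a SYN is diverted
    b1: int = 2            # B1S: "more than 2 in the last minute"
    b2: int = 20           # B2S (assumed value; the page gives none)
    window: float = 60.0   # seconds over which timed-out connections are counted
    observe: float = 10.0  # seconds of full diversion before step 309 (assumed)
    hold: float = 120.0    # waiting period T of step 317 (assumed value)
    state: str = SAMPLE
    since: float = 0.0     # time at which the current state was entered
    timeouts: deque = field(default_factory=deque)
    log: list = field(default_factory=list)   # (time, step number, new state)

    def route_syn(self, u: float) -> str:
        """Where the switch sends one SYN; u is a uniform draw in [0, 1)."""
        if self.state == DROP_ALL:
            return "drop"
        if self.state == DIVERT_ALL or u < self.p:
            return "guard"       # the web guard terminates the handshake itself
        return "server"

    def on_timeout(self, now: float) -> None:
        """A diverted SYN never completed its handshake (forged sender address)."""
        self.timeouts.append(now)

    def _recent(self, now: float) -> int:
        while self.timeouts and self.timeouts[0] <= now - self.window:
            self.timeouts.popleft()
        return len(self.timeouts)

    def _enter(self, state: str, now: float, step: int) -> None:
        self.state, self.since = state, now
        self.log.append((now, step, state))

    def tick(self, now: float) -> str:
        """Apply the FIG. 3 decisions at time `now` and return the state."""
        n = self._recent(now)
        if self.state == SAMPLE and n > self.b1:                 # step 303: YES
            self._enter(DIVERT_ALL, now, 305)
        elif self.state == DIVERT_ALL and now - self.since >= self.observe:
            if n > self.b2:                                      # step 309: YES
                self._enter(DROP_ALL, now, 313)
            else:                                                # step 309: NO
                self.timeouts.clear()    # assumed, so old timeouts do not re-trigger
                self._enter(SAMPLE, now, 301)
        elif self.state == DROP_ALL and now - self.since >= self.hold:
            self.timeouts.clear()                                # step 317 elapsed
            self._enter(SAMPLE, now, 303)
        return self.state


def simulate(forged_per_s: int, legit_per_s: int, seconds: int,
             seed: int = 1, syn_timeout: int = 3) -> dict:
    """Constructed traffic: forged SYNs never finish a handshake, legitimate ones do."""
    rng = random.Random(seed)
    guard = WebGuard()
    pending = deque()            # due times of handshakes the guard is waiting on
    forged_at_server = legit_served = 0
    for t in range(seconds):
        while pending and pending[0] <= t:
            guard.on_timeout(pending.popleft())
        guard.tick(t)
        for _ in range(forged_per_s):
            dest = guard.route_syn(rng.random())
            if dest == "server":
                forged_at_server += 1
            elif dest == "guard":
                pending.append(t + syn_timeout)
        for _ in range(legit_per_s):
            if guard.route_syn(rng.random()) != "drop":
                legit_served += 1    # direct, or relayed by the guard
    return {"state": guard.state, "log": guard.log,
            "forged_at_server": forged_at_server, "legit_served": legit_served}


if __name__ == "__main__":
    for name, args in (("quiet", (0, 50, 60)), ("attack", (500, 50, 60))):
        r = simulate(*args)
        print(name, r["state"], r["log"], r["forged_at_server"], r["legit_served"])
```

In the attack run, `legit_served` stops growing once step 313 is reached, because deleting all SYN packets destined for server S also discards legitimate connection attempts until the waiting period T expires.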
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/774,060 US7627677B2 (en) | 2000-09-28 | 2007-07-06 | Process to thwart denial of service attacks on the internet |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/672,206 US7251692B1 (en) | 2000-09-28 | 2000-09-28 | Process to thwart denial of service attacks on the internet |
US11/774,060 US7627677B2 (en) | 2000-09-28 | 2007-07-06 | Process to thwart denial of service attacks on the internet |
Related Parent Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/672,206 Continuation US7251692B1 (en) | 2000-09-28 | 2000-09-28 | Process to thwart denial of service attacks on the internet |
Publications (2)
Publication Number | Publication Date |
---|---|
US20080016566A1 (en) | 2008-01-17 |
US7627677B2 (en) | 2009-12-01 |
Family ID: 38290401
Family Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/672,206 Expired - Lifetime US7251692B1 (en) | 2000-09-28 | 2000-09-28 | Process to thwart denial of service attacks on the internet |
US11/774,060 Expired - Fee Related US7627677B2 (en) | 2000-09-28 | 2007-07-06 | Process to thwart denial of service attacks on the internet |
Family Applications Before (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/672,206 Expired - Lifetime US7251692B1 (en) | 2000-09-28 | 2000-09-28 | Process to thwart denial of service attacks on the internet |
Country Status (1)
Country | Link |
---|---|
US (2) | US7251692B1 (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020083175A1 (en) * | 2000-10-17 | 2002-06-27 | Wanwall, Inc. (A Delaware Corporation) | Methods and apparatus for protecting against overload conditions on nodes of a distributed network |
US20100099421A1 (en) * | 2008-10-17 | 2010-04-22 | Verizon Corporate Services Group, Inc. | Efficient messaging over internet protocol |
WO2012093193A1 (en) * | 2011-01-07 | 2012-07-12 | Nokia Corporation | Method and apparatus for statistical handling of connections |
US20160323299A1 (en) * | 2015-04-28 | 2016-11-03 | Arbor Networks, Inc. | System and method to detect and mitigate tcp window attacks |
US9548961B2 (en) * | 2007-03-27 | 2017-01-17 | Amazon Technologies, Inc. | Detecting adverse network conditions for a third-party network site |
CN110166408A (en) * | 2018-02-13 | 2019-08-23 | 北京京东尚科信息技术有限公司 | Defend the methods, devices and systems of extensive aggression |
Families Citing this family (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8051176B2 (en) | 2002-11-07 | 2011-11-01 | Hewlett-Packard Development Company, L.P. | Method and system for predicting connections in a computer network |
US8209371B2 (en) * | 2002-11-07 | 2012-06-26 | Hewlett-Packard Development Company, L.P. | Method and system for managing communication in a computer network using aliases of computer network addresses |
US8010685B2 (en) * | 2004-11-09 | 2011-08-30 | Cisco Technology, Inc. | Method and apparatus for content classification |
US7535909B2 (en) | 2004-11-09 | 2009-05-19 | Cisco Technology, Inc. | Method and apparatus to process packets in a network |
US7936682B2 (en) * | 2004-11-09 | 2011-05-03 | Cisco Technology, Inc. | Detecting malicious attacks using network behavior and header analysis |
US20070140121A1 (en) * | 2005-12-21 | 2007-06-21 | Chris Bowman | Method of preventing denial of service attacks in a network |
US20070140275A1 (en) * | 2005-12-21 | 2007-06-21 | Chris Bowman | Method of preventing denial of service attacks in a cellular network |
KR100789722B1 (en) * | 2006-09-26 | 2008-01-02 | 한국정보보호진흥원 | The method and system for preventing malicious code spread using web technology |
EP2009862B1 (en) * | 2007-06-29 | 2012-11-14 | Nokia Siemens Networks Oy | Method for protection a network through port blocking |
CN100579003C (en) * | 2007-11-08 | 2010-01-06 | 华为技术有限公司 | Method and system for preventing TCP attack by utilizing network stream technology |
US8943570B1 (en) * | 2010-12-02 | 2015-01-27 | Cellco Partnership | Techniques for providing enhanced network security |
CN103685315A (en) * | 2013-12-30 | 2014-03-26 | 曙光云计算技术有限公司 | Method and device for defending denial of service attack |
WO2016036134A1 (en) * | 2014-09-02 | 2016-03-10 | Samsung Electronics Co., Ltd. | Apparatus and method for controlling tcp connections in a wireless communication system |
CN105991632A (en) * | 2015-04-20 | 2016-10-05 | 杭州迪普科技有限公司 | Network security protection method and device |
US11010237B2 (en) * | 2019-02-08 | 2021-05-18 | Accenture Global Solutions Limited | Method and system for detecting and preventing an imminent failure in a target system |
US11122075B2 (en) * | 2019-07-03 | 2021-09-14 | Netflix, Inc. | Attack mitigation in a packet-switched network |
CN112311731A (en) * | 2019-07-29 | 2021-02-02 | 联合汽车电子有限公司 | Vehicle-mounted processor, vehicle-mounted controller and communication method |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5991881A (en) * | 1996-11-08 | 1999-11-23 | Harris Corporation | Network surveillance system |
US20020031134A1 (en) * | 2000-09-07 | 2002-03-14 | Poletto Massimiliano Antonio | Device to protect victim sites during denial of service attacks |
US20020032871A1 (en) * | 2000-09-08 | 2002-03-14 | The Regents Of The University Of Michigan | Method and system for detecting, tracking and blocking denial of service attacks over a computer network |
US20020035698A1 (en) * | 2000-09-08 | 2002-03-21 | The Regents Of The University Of Michigan | Method and system for protecting publicly accessible network computer services from undesirable network traffic in real-time |
US6487204B1 (en) * | 1999-05-12 | 2002-11-26 | International Business Machines Corporation | Detectable of intrusions containing overlapping reachabilities |
US6578147B1 (en) * | 1999-01-15 | 2003-06-10 | Cisco Technology, Inc. | Parallel intrusion detection sensors with load balancing for high speed networks |
US20030110394A1 (en) * | 2000-05-17 | 2003-06-12 | Sharp Clifford F. | System and method for detecting and eliminating IP spoofing in a data transmission network |
US6609205B1 (en) * | 1999-03-18 | 2003-08-19 | Cisco Technology, Inc. | Network intrusion detection signature analysis using decision graphs |
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5991881A (en) * | 1996-11-08 | 1999-11-23 | Harris Corporation | Network surveillance system |
US6578147B1 (en) * | 1999-01-15 | 2003-06-10 | Cisco Technology, Inc. | Parallel intrusion detection sensors with load balancing for high speed networks |
US6609205B1 (en) * | 1999-03-18 | 2003-08-19 | Cisco Technology, Inc. | Network intrusion detection signature analysis using decision graphs |
US6487204B1 (en) * | 1999-05-12 | 2002-11-26 | International Business Machines Corporation | Detectable of intrusions containing overlapping reachabilities |
US20030110394A1 (en) * | 2000-05-17 | 2003-06-12 | Sharp Clifford F. | System and method for detecting and eliminating IP spoofing in a data transmission network |
US20020031134A1 (en) * | 2000-09-07 | 2002-03-14 | Poletto Massimiliano Antonio | Device to protect victim sites during denial of service attacks |
US20020032871A1 (en) * | 2000-09-08 | 2002-03-14 | The Regents Of The University Of Michigan | Method and system for detecting, tracking and blocking denial of service attacks over a computer network |
US20020035698A1 (en) * | 2000-09-08 | 2002-03-21 | The Regents Of The University Of Michigan | Method and system for protecting publicly accessible network computer services from undesirable network traffic in real-time |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020083175A1 (en) * | 2000-10-17 | 2002-06-27 | Wanwall, Inc. (A Delaware Corporation) | Methods and apparatus for protecting against overload conditions on nodes of a distributed network |
US7707305B2 (en) * | 2000-10-17 | 2010-04-27 | Cisco Technology, Inc. | Methods and apparatus for protecting against overload conditions on nodes of a distributed network |
US9548961B2 (en) * | 2007-03-27 | 2017-01-17 | Amazon Technologies, Inc. | Detecting adverse network conditions for a third-party network site |
US20100099421A1 (en) * | 2008-10-17 | 2010-04-22 | Verizon Corporate Services Group, Inc. | Efficient messaging over internet protocol |
US8503300B2 (en) * | 2008-10-17 | 2013-08-06 | Verizon Patent And Licensing Inc. | Efficient messaging over internet protocol |
WO2012093193A1 (en) * | 2011-01-07 | 2012-07-12 | Nokia Corporation | Method and apparatus for statistical handling of connections |
US9439237B2 (en) | 2011-01-07 | 2016-09-06 | Nokia Technologies Oy | Method and apparatus for statistical handling of connections |
US20160323299A1 (en) * | 2015-04-28 | 2016-11-03 | Arbor Networks, Inc. | System and method to detect and mitigate tcp window attacks |
US9749340B2 (en) * | 2015-04-28 | 2017-08-29 | Arbor Networks, Inc. | System and method to detect and mitigate TCP window attacks |
CN110166408A (en) * | 2018-02-13 | 2019-08-23 | 北京京东尚科信息技术有限公司 | Defend the methods, devices and systems of extensive aggression |
Also Published As
Publication number | Publication date |
---|---|
US7251692B1 (en) | 2007-07-31 |
US7627677B2 (en) | 2009-12-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7627677B2 (en) | Process to thwart denial of service attacks on the internet | |
US7870611B2 (en) | System method and apparatus for service attack detection on a network | |
Kargl et al. | Protecting web servers from distributed denial of service attacks | |
US7770215B2 (en) | Method for protecting a firewall load balancer from a denial of service attack | |
EP2105003B1 (en) | Method and apparatus to control application messages between a client and a server having a private network address | |
US7260639B2 (en) | Method and system for protecting web sites from public internet threats | |
US20060212572A1 (en) | Protecting against malicious traffic | |
US20070195774A1 (en) | Systems and methods for access port ICMP analysis | |
KR20060116741A (en) | Method and apparatus for identifying and disabling worms in communication networks | |
WO2002025402A2 (en) | Systems and methods that protect networks and devices against denial of service attacks | |
WO2003050644A2 (en) | Protecting against malicious traffic | |
US20040243843A1 (en) | Content server defending system | |
EP1461704B1 (en) | Protecting against malicious traffic | |
Noureldien et al. | A stateful inspection module architecture | |
Chen | Aegis: An active-network-powered defense mechanism against ddos attacks | |
Ganger et al. | Finding and containing enemies within the walls with self-securing network interfaces | |
Zaraska | Ids active response mechanisms: Countermeasure subsytem for prelude ids | |
Noureldien et al. | A Method for Defeating DoS/DDoS TCP SYN flooding Attack | |
Argyraki et al. | Protecting Public-Access Sites Against Distributed Denial-of-Service Attacks | |
Abouzakhar et al. | Counteracting network distributed attacks: an intelligent approach to minimise the TCP/IP protocol threats using agents technology | |
Hai et al. | Distributed defense of Distributed DoS using Pushback and Communicate mechanism | |
Ganger et al. | Finding and Containing Enemies Within the Walls with Self-securing Network Interfaces (CMU-CS-03-109) | |
Valli et al. | Security Problems and Their Defenses in TCP/IP Protocol Suite | |
Stevens et al. | Design and Implementation of Secure, Content-Based Traffic Control |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | AS | Assignment | Owner name: ALCATEL-LUCENT USA INC., NEW JERSEY Free format text: MERGER;ASSIGNOR:LUCENT TECHNOLOGIES INC.;REEL/FRAME:023090/0280 Effective date: 20081101 |
| | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| | FEPP | Fee payment procedure | Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| | AS | Assignment | Owner name: CREDIT SUISSE AG, NEW YORK Free format text: SECURITY INTEREST;ASSIGNOR:ALCATEL-LUCENT USA INC.;REEL/FRAME:030510/0627 Effective date: 20130130 |
| | FPAY | Fee payment | Year of fee payment: 4 |
| | AS | Assignment | Owner name: ALCATEL-LUCENT USA INC., NEW JERSEY Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG;REEL/FRAME:033950/0261 Effective date: 20140819 |
| | FPAY | Fee payment | Year of fee payment: 8 |
| | FEPP | Fee payment procedure | Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| | LAPS | Lapse for failure to pay maintenance fees | Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| | STCH | Information on status: patent discontinuation | Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |
| | FP | Lapsed due to failure to pay maintenance fee | Effective date: 20211201 |